Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Google Adds Hardware Security Key For Account Protection

Google is introducing an improved two-factor authentication system for Gmail and its other services that uses a tiny hardware token that will only work on legitimate Google sites.

Google is introducing an improved two-factor authentication system for Gmail and its other services that uses a tiny hardware token that will only work on legitimate Google sites.

The new Security Key system is meant to help defeat attacks that rely on highly plausible fake sites that are designed to capture users’ credentials. Attackers often go to great lengths to create fake Gmail or Google Accounts sites that look exactly like the real ones. They then try to lure or direct users to those sites through phishing emails or other tactics in order to get them to enter their Google account credentials. The attackers then will take over the accounts.

The hardware Security Key is a small USB token that implements the FIDO Alliance’s Universal 2nd Factor specification. It’s meant for users who require a higher level of security on their accounts and users can buy them from Amazon or other retailers now.

“Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google. Rather than typing a code, just insert Security Key into your computer’s USB port and tap it when prompted in Chrome. When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished,” Nishit Shah, security product manager at Google, said in a blog post.

Google has offered two-step verification for Gmail users for nearly four years now. The basic system relies on a simple process that uses an app on mobile devices to send a short verification code that a user must enter, along with her username and password, when she logs in from a new device. The system is designed to protect users against account takeovers by requiring physical access to the mobile device. But it doesn’t protect against all kinds of attacks, including the use of sophisticated phishing sites to capture credentials.

“With 2-Step Verification, Google requires something you know (your password) and something you have (like your phone) to sign in. Google sends a verification code to your phone when you try to sign in to confirm it’s you. However, sophisticated attackers could set up lookalike sites that ask you to provide your verification codes to them, instead of Google. Security Key offers better protection against this kind of attack, because it uses cryptography instead of verification codes and automatically works only with the website it’s supposed to work with,” Google’s description of the new system says.

The Google Security Key system only works in Chrome right now, but if other browsers and additional sites implement the U2F protocol, the same Security Key will work with them, too.

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.